Method and system for performing a commercial transaction by using a short message service terminal

ABSTRACT

Method for performing a commercial transaction wherein a customer having a computer connected to a public network such as the Internet network and a SMS terminal is able to receive and send SMS messages over a telephone network and can order an article by using the computer to a commercial server connected to the public network.

CROSS REFERENCE TO RELATED APPLICATION

This application is a continuation of co-pending U.S. patent applicationSer. No. 11/081,045, filed Mar. 15, 2005, and claims the benefit offoreign priority to European Application No. 04368020.6 filed Mar. 25,2004, the entire content and disclosure of each of which is herebyincorporated herein by reference.

FIELD OF THE INVENTION

This invention relates to systems enabling users of any public networksuch as the Internet network to purchase articles on sale on commercialsites and in particular relates to a method for performing a commercialtransaction by using a Short Message Service (SMS) terminal.

BACKGROUND OF THE INVENTION

There are more and more users of public networks such as the Internetnetwork who are also customers doing electronic business by orderingarticles offered by commercial sites. Electronic payment over a publicnetwork is a major issue for customers as well as for the commercialsites. The most secure payment method requires extra equipment be addedto the customer machine to read a credit card. Unfortunately, this typeof equipment is not widely available. The most common way of paymentremains the use of a Secure Socket Layer (SSL) connection between thecommercial site and the customer browser. SSL is a protocol thatprovides privacy over the Internet. However, even with this method, thecustomer credit card number is still sent over the public network makingthis information the most desirable data for hackers.

In order to avoid the drawbacks of public networks such as the Internet,another method to conduct electronic business uses SMS messages that canbe easily sent from any mobile telephone. But SMS messages have thedrawback that the service is generally unsuitable for electroniccommerce where a secure and controlled data delivery is required. Thisproblem has been solved by the system described in PCT patentapplication WO 03/063528 wherein, when an SMS message is transmitted viaa cellular transmission network from a sender to a recipient, it isrequired to acknowledge receipt in a predetermined way and anacknowledgement message is subsequently transmitted to the sender of theSMS message.

Even though the system described above is more secure when using the SMSmessages, the customer is still required to pay for the articles orderedon a commercial site by using a credit card. Therefore, the number ofthe credit card has to be either forwarded to the commercial site withthe risks of being uncovered by hackers attacking the database of thecommercial server or to be requested by a payment server using theInternet network with the risk of being intercepted by hackers when itis transmitted over the network.

OBJECTS AND SUMMARY OF THE INVENTION

Accordingly, one object of the invention is to achieve a method forperforming a commercial transaction with a commercial site where thecustomer is not required to forward a credit card number to thecommercial site after ordering articles over a public network such asthe Internet network.

Another object of the invention is to achieve a method for performing acommercial transaction with a commercial site wherein SMS messages areused for identifying and authenticating a customer after the customerhas ordered articles by using a public network such as the Internetnetwork.

According to one aspect of the invention there is provided a method forperforming a commercial transaction wherein a customer having a computerconnected to a public network and an SMS terminal can receive and sendSMS messages over a cellular network and can order an article by usingthe computer to a commercial server connected to the public network. Themethod comprising the following steps:

sending an SMS message from the commercial server through the cellularnetwork, the SMS message including at least the address on the cellularnetwork of a payment server including information about the article, thecustomer, after receiving the SMS message on the SMS terminal,redirecting to the payment server a modified SMS message and adding tothe modified SMS message at least the information enabling theidentification of a customer payment means.

According to another aspect of the invention there is provided a systemfor performing a commercial transaction wherein a customer having acomputer connected to a public network and an SMS terminal is able toreceive and send SMS messages over a cellular network and can order anarticle by using the computer connected to a commercial server and tothe public network. The system comprises a payment server in charge ofdebiting an account of the customer with the article price and in thatthe commercial server includes means for sending to the SMS terminal anSMS message including at least the address on the cellular network ofthe payment server so that the computer can send a modified SMS messageincluding information to enable the payment server to identify acustomer payment means.

BRIEF DESCRIPTION OF THE DRAWINGS

The above and other objects, features and advantages of the inventionwill be better understood by reading the following more particulardescription of the invention in conjunction with the accompanyingdrawings wherein:

FIG. 1 is a block diagram representing a system wherein the methodaccording to the invention is implemented; and

FIG. 2 is a diagram representing an SMS message and the fields thereofwhich are used to transport the information about the commercialtransaction.

DETAILED DESCRIPTION OF THE INVENTION

According to a preferred embodiment illustrated in FIG. 1, a user 10 isconnected to a public network 12, such as the Internet network, by acomputer 14 and is connected to a cellular network 13, such as theGlobal System for Mobile communications (GSM) network or an equivalentnetwork, by a mobile terminal 16.

The user 10 is a customer who is able to surf with a web browser on thesite of a commercial server 18 through the public or Internet network.Assuming that customer 10 orders an article, the commercial server 18which is also connected to an Intranet network 20 or other similarprivate network sends a SMS message to the customer. This SMS message issent through the network 20 and is sent over the cellular network 13through an SMS gateway 22.

The SMS message sent by the commercial server 18 and received by themobile terminal 16 of the customer 10 asks the customer to provide somedata to a payment server 24 connected to the Internet network. The SMSmessage containing now the requested information necessary to identifythe customer and the number of the customer's payment card is redirectedby the cellular network to the payment server through a SMS gateway 28and over another Intranet network 26. Therefore, the sensitiveinformation such as the customer identification number and the paymentcard number is neither transported over the Internet network nor sharedwith the commercial server 18, which are both not secure enough to avoidsuch sensitive information from hackers. Note that the security can beincreased by an authentication server 30 in charge of authenticating thecustomer by an identification number on request of the payment server24. An example of an identification number is a Mobile StationIntegrated Services Digital Network (MSISDN) in the case of the GSMnetwork.

The SMS message sent by the commercial server 18 to the mobile terminal16 is illustrated in FIG. 2. It is a data frame as specified in the 3GPPTechnical Specification document “Generation partnership project”;Technical specification group terminals; Technical realization of theShort Message Service (SMS).

The SMS message contains an SMS frame header and a SMS frame body alsoknown as the TP-UD (Transfer-layer Protocol User Data), which maycomprise the short message content, i.e. the commands to manage the SMSreceiving device, and in addition a User Data Header (UDH). The presenceof a UDH is identified by the setting of an indicator in the SMS frameheader, namely the User Data Header Indicator (UDHI). When the UDHIvalue is set to zero, the TP-UD field comprises only the short message.When the UDHI value is set to one, which is the case in the invention,this means that the TP-UD field comprises a User Data Header.

The User Data Header is composed of a User Data Header Length (UDHL) anda plurality of Information Elements (IE1 to IEn). Some InformationElements are currently reserved and other IE groups, at least three IEs,are not allocated and free of use. The invention allocates three IEgroups for signaling the redirection of the SMS message as explainedhereafter.

The three Information Elements used in the SMS according to theinvention are as follows:

1. Redirect routing number

It is the MSISDN to which the SMS has to be routed, that is the MSISDNof the payment server

2. Data acquisition

It describes the type of data entered by the customer before reroutingthe SMS

3. Message to be routed

It is the message sent by the commercial server and rerouted to thepayment server. This message contains information belonging to thetransaction (order identifier, customer name, article price)

It must be noted that data sent by the user can be encrypted with a keyprovided by the commercial server. Generally, this key is the public keyof the payment server and is contained in the Data acquisition element.

The contents of the Data acquisition element are the following:

First byte

Bits 7 6

0 0 No input

0 1 Unused

1 0 Alphanumeric input

1 1 Numeric input

Input Digits count qualifier

Bit 5

Number of digits required

Maximum number of digits

Bit 4 3

0 0 No encryption

0 1 Encryption with provided key

Bits 2 1 0 Unused

Second byte

Input Digits count

Bits 7 6 5 Unused

Bits 4 3 2 1 0 (Min 1 Max 32

Third byte Encryption key length

Fourth byte to byte n Encryption key

As mentioned in the IE Data acquisition, the first byte indicateswhether a numeric input must be input or not. In fact there are threepossibilities within the scope of the invention:

The SMS message requests the user to input his/her card number so thatthe payment server may authenticate the user by verifying that the ownerinformation associated with this card number corresponds to theinformation provided by the commercial server. Security is ensured bythe fact that the card number is transferred over a GSM link more securethan an Internet link and the card number does not transit through thecommercial server and is not kept on said commercial server data base.In this case, a message is displayed on the screen of the mobileterminal, for example,

“you ordered a Palm PDA at price 350

. Confirm by entering your Visa card number + # + personal code andpress OK”

b) The SMS message requests the user to input his/her card number as inthe first embodiment by displaying a message on the screen, but thepayment server has the capability to authenticate the user by MSISDN.This method increases the security as the transaction must be done withthe mobile terminal of the customer registered in the commercial server.

c) The SMS message does not request entry of the card number as above.Instead, a pin code is entered to increase security. The payment serverauthenticates the user by his/her MSISDN number and retrieves the cardnumber associated with it. With this method, the card number does nottransit on any network.

After the SMS message has been received by the user and information isinput or not in Data acquisition as explained above, an SMS message isre-directed to the payment server. This redirected message may containtwo Information elements.

1. Message to be routed which includes the same information as receivedby the user, that is the information belonging to the transaction (orderidentifier, customer name, article price).

2. Local data

This information element contains the data entered by the user. The datais encrypted or not depending of the flag set in Data acquisitionelement of the received message.

After authentication of the customer by the payment server and thecustomer account debit, the payment server informs the commercial serverthat the transaction has been completed successfully and/or the customerthat the account debit has been completed. Then the commercial servermay send a transaction receipt by mail to the customer.

It must be noted that, though the invention has been described in apreferred embodiment wherein the customer uses a mobile terminal, theinvention could be implemented in any system wherein the customer has aterminal able to receive and send SMS messages over the GSM network orany other equivalent network different from the Internet network.

What is claimed is:
 1. A method for conducting a commercial transactionbetween a customer and a commercial server, the customer having acomputer and an SMS terminal, said method comprising: the customer usingthe computer to send an order for an article through a public network toa commercial server; sending an SMS message, through a cellular network,from said commercial server to the SMS terminal, said SMS messageincluding a redirect routing number, and an encryption key; saidcustomer adding to said SMS message information enabling identificationof a customer payment means; encrypting said information in the SMSmessage by using said encryption key; redirecting the SMS message, withsaid encrypted information therein, through said cellular network, fromsaid SMS terminal to a payment server by using said redirect routingnumber.
 2. The method according to claim 1, wherein said encryption keyis a public encryption key.
 3. The method according to claim 2, whereinsaid encryption key is a public encryption key of the payment server. 4.The method according to claim 1, wherein the sending an SMS messageincludes setting in the SMS message a flag for indicting to the paymentserver that the SMS message redirected to the payment server includesinformation encrypted using said encryption key.
 5. The method accordingto claim 1, wherein said redirect routing number includes anidentification number of said payment server on said cellular network.6. The method according to claim 1, further comprising said paymentserver authenticating said customer by using an identification number ofsaid customer on said cellular network.
 7. The method according to claim1, wherein said sending includes said SMS message requesting saidcustomer to input a customer card number into said SMS terminal, saidcard number being included in said SMS message redirected to saidpayment server.
 8. The method according to claim 1, wherein said sendingincludes requesting said customer to input a PIN code into said SMSterminal, said PIN code being included in said SMS message redirected tosaid payment server to retrieve said customer card number.
 9. The methodaccording to claim 1, wherein said adding to said SMS message includesadding to said SMS message an order identifier, a customer name and anarticle price.
 10. The method according to claim 1, further comprisingsaid payment server authenticating said customer; and afterauthenticating said customer, debiting a customer's account andinforming said commercial server that said commercial transaction hasbeen completed successfully.
 11. A system for conducting a commercialtransaction between a customer and a commercial server, the customerhaving a computer and an SMS terminal, and wherein the customer uses thecomputer to send an order for an article through the public network tothe commercial server, said system comprising: a payment server fordebiting a customer account with a price for said article price; andmeans operating on the commercial server for sending an SMS message,through a cellular network, to the SMS terminal, said SMS messageincluding a redirect routing number, and an encryption key, wherein thecustomer adds to said SMS message information enabling identification ofa customer payment means and encrypts said information using saidencryption key, and the SMS message is redirected, by using saidredirect routing number, and with said encrypted identificationinformation, from said SMS terminal to said payment server through saidcellular network.
 12. The system according to claim 11, wherein saidencryption key is a public encryption key.
 13. The system according toclaim 12, wherein said public encryption key is a public encryption keyof the payment server.
 14. The system according to claim 13, wherein thesending an SMS message includes setting in the SMS message a flag forindicating to the payment serer that the SMS message redirected to thepayment server includes encrypted information encrypted using saidencryption key.
 15. The system according to claim 11, wherein saidcustomer payment means is a credit card.
 16. The system according toclaim 11, wherein said cellular network is a GSM network.
 17. The systemaccording to claim 11, wherein said SMS terminal is a mobile terminal.18. The system according to claim 11, wherein said redirect routingnumber includes an identification number of said payment server on saidcellular network.
 19. The system according to claim 11, wherein saidpayment server authenticates said customer by using an identificationnumber of said customer on said cellular network.
 20. The systemaccording to claim 11, wherein the payment server decrypts theinformation received from the customer through the cellular network,authenticates the customer, and informs the commercial server that thetransaction has been completed.